Wednesday, January 23, 2008

If you are concerned about the security of your logs, use a dedicated machine and lock it down.

Keep clocks in sync across all hosts, so that log timestamps from different machines can be correlated.

You may need to change the log rotation schedule in /etc/newsyslog.conf. You can rotate based on size and/or time. This can be as much a policy decision as a hardware decision.

On the central log host, change the syslogd flags so it listens on the network. Each BSD does this differently, so check the man pages. Also, check out the -n flag for busy environments.

Make sure host firewall allows syslog traffic through.

Be careful to limit syslog traffic to just the trusted network or hosts. FreeBSD man page refers to syslogd as a "remote disk filling service".

For heavy logging environments, it is important to have a dedicated network. When the syslogd server is down, the clients keep sending and can create a lot of "ARP who-has" broadcasts.

Most network devices, such as printers and commercial firewalls, support sending to a central syslog server. Take a look at "Snare" for Windows hosts.

To send messages from a Unix host, specify the host name prefixed with @ in place of the file name in /etc/syslog.conf. For example, change /var/log/xferlog to @loghost.mydomain.biz. You can also copy the line and edit the copy so that the same messages go to both a local file and the remote host.
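As an added example, not part of the original post, here is how the steps above fit together on FreeBSD: the listen flags and rotation on the log host, the host firewall rule that keeps syslog traffic to the trusted network, and the client-side forwarding lines. The log host name loghost.mydomain.biz comes from the post; the interface name em0, the trusted network 192.168.10.0/24 and the client addresses are assumed values.

```conf
# Added example (not from the original post). FreeBSD syntax throughout.
# Assumed values: log host loghost.mydomain.biz, trusted LAN 192.168.10.0/24,
# log host NIC em0, clients 192.168.10.11 and 192.168.10.12.

# --- /etc/rc.conf on the central log host ---
# Drop the default "-s" (secure mode, no network listening), accept messages
# only from the trusted network with -a, and skip a DNS lookup per message
# with -n (the busy-environment flag mentioned above).
syslogd_enable="YES"
syslogd_flags="-a 192.168.10.0/24 -n"

# --- /etc/pf.conf on the central log host ---
# Only the trusted network may reach syslog (UDP port 514); the rest is
# dropped, which is the "remote disk filling service" protection.
ext_if = "em0"
trusted_net = "192.168.10.0/24"
block in on $ext_if proto udp to ($ext_if) port 514
pass in on $ext_if proto udp from $trusted_net to ($ext_if) port 514

# --- /etc/syslog.conf on the central log host ---
# Keep each remote host's messages in its own file. "+host" selects the
# sending host for the lines that follow and "+*" reverts to all hosts.
# Because -n is set, syslogd records the sender's IP address instead of its
# name, so the host specifications use addresses.
+192.168.10.11
*.*                                  /var/log/remote/client1.log
+192.168.10.12
*.*                                  /var/log/remote/client2.log
+*

# --- /etc/newsyslog.conf on the central log host ---
# logfilename                 [owner:group] mode count size  when  flags
# Rotate at 10 MB (size is in KB) or daily at midnight, whichever comes
# first; keep 30 gzip-compressed copies (Z); create the file if missing (C).
/var/log/remote/client1.log   root:wheel    640  30    10000 @T00  ZC
/var/log/remote/client2.log   root:wheel    640  30    10000 @T00  ZC

# --- /etc/syslog.conf on each client ---
# The first line is the stock local file; the copied second line sends the
# same selector to the log host ("@" marks a remote destination).
ftp.info                             /var/log/xferlog
ftp.info                             @loghost.mydomain.biz
# Forward everything at notice level and above as well.
*.notice                             @loghost.mydomain.biz
```

The directory /var/log/remote must exist before syslogd is restarted, and syslogd and pf both need a reload after the edits. OpenBSD uses a different flag for the same purpose (syslogd -u enables listening on the UDP port), which is the "each BSD does this differently" point above.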

6 comments:

About a year ago I set up a central syslog server where I work. It uses stunnel to tunnel the log messages over SSL to avoid sending log messages 'over the wire' in plain text.

We're using syslog-ng with a custom log file format (the format is a SQL insert) and writing the log messages to a named pipe and running them into a MySQL database. We use php-syslog-ng and phpsyslogviewer to view, search and manage the database.

Hello Mr, I was wondering if you would mind if I wrote a little article regarding two of your interviews done for this site. The first link would be to your interview with RMS (bsdtalk 132) and the second one would be the interview with Claudio Jeker from OpenBSD (bsdtalk 095). I would make a little introduction to your site and post a proper link, after which I would add another two links to your articles regarding the interviews mentioned above.

I wanted to contact you through e-mail but I haven't managed to find any in this site, if it's here. Sorry for my English.